cluster/services/nginx: move acme config

cluster/services/acme-client: move acme config, wait for authoritative DNS to work
cluster/services/ways: don't render empty upstream blocks
2024-08-12 02:53:15 +02:00 · 2024-08-12 02:53:15 +02:00 · 2024-08-12 02:53:15 +02:00 · 2024-08-12 02:53:15 +02:00
4 changed files with 47 additions and 8 deletions
--- a/cluster/services/acme-client/client.nix
+++ b/cluster/services/acme-client/client.nix
@ -32,7 +32,10 @@ in
    owner = "acme";
  };

+  security.acme.acceptTerms = true;
+  security.acme.maxConcurrentRenewals = 0;
  security.acme.defaults = {
+    email = depot.lib.meta.adminEmail;
    extraLegoFlags = lib.flatten [
      (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
      "--dns-timeout" "30"
@ -42,4 +45,38 @@ in
      EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
    '';
  };
+
+  systemd.services = lib.mapAttrs' (name: value: {
+    name = "acme-${name}";
+    value = {
+      distributed.enable = value.dnsProvider != null;
+      preStart = let
+        serverList = lib.pipe authoritativeServers [
+          (map (x: "@${x}"))
+          (map (lib.replaceStrings [":53"] [""]))
+          lib.escapeShellArgs
+        ];
+        domainList = lib.pipe ([ value.domain ] ++ value.extraDomainNames) [
+          (map (x: "${x}."))
+          (map (lib.replaceStrings ["*"] ["x"]))
+          lib.unique
+          lib.escapeShellArgs
+        ];
+      in ''
+        echo Testing availability of authoritative DNS servers
+        for i in {1..60}; do
+          ${pkgs.dig}/bin/dig +short ${serverList} ${domainList} >/dev/null && break
+          echo Retry [$i/60]
+          sleep 10
+        done
+        echo Available
+      '';
+      serviceConfig = {
+        Restart = "on-failure";
+        RestartMaxDelaySec = 30;
+        RestartStesp = 5;
+        RestartMode = "direct";
+      };
+    };
+  }) config.security.acme.certs;
 }
--- a/cluster/services/nginx/nginx.nix
+++ b/cluster/services/nginx/nginx.nix
@ -1,10 +1,6 @@
-{ config, depot, ... }:
+{ config, ... }:

-let
-  inherit (depot.lib.meta) adminEmail;
-in {
-  security.acme.defaults.email = adminEmail;
-  security.acme.acceptTerms = true;
+{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
--- a/cluster/services/ways/host.nix
+++ b/cluster/services/ways/host.nix
@ -69,11 +69,16 @@ in
        {
          source = let
            upstreams = lib.mapAttrsToList (_: cfg: ''
+              {{ if ne (len (service "${cfg.consulService}~_agent")) 0 }}
+              # ${cfg.consulService}
              upstream ${cfg.nginxUpstreamName} {
                {{ range $i, $e := service "${cfg.consulService}~_agent" -}}
                server {{ .Address }}:{{ .Port }}{{ if ne $i 0 }} backup{{ end }};
-                {{end}}
+                {{ end }}
              }
+              {{ else }}
+              # upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
+              {{ end }}
            '') consulServiceWays;
          in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
          destination = "/run/consul-template/nginx-ways-upstreams.conf";
--- a/lib/nginx.nix
+++ b/lib/nginx.nix
@ -36,7 +36,8 @@

        proxyGhost = scheme: target: basic // {
          locations."/".extraConfig = ''
-            proxy_pass ${scheme}://${target};
+            set $nix_proxy_ghost_target "${scheme}://${target}";
+            proxy_pass $nix_proxy_ghost_target;
            proxy_set_header Host ${target};
            proxy_set_header Referer ${scheme}://${target};
            proxy_cookie_domain ${target} domain.invalid;
Author	SHA1	Message	Date
Max	df14a9a513	cluster/services/nginx: move acme config	2024-08-12 02:53:15 +02:00
Max	d59abfb678	cluster/services/acme-client: move acme config, wait for authoritative DNS to work	2024-08-12 02:53:15 +02:00
Max	a285c57d5b	cluster/services/ways: don't render empty upstream blocks	2024-08-12 02:53:15 +02:00
Max	415fd7f076	lib/nginx: use dynamic proxy targets in proxyGhost	2024-08-12 02:53:15 +02:00